author | Hans Insulander <hin@cvs.openbsd.org> | 2002-02-06 09:10:03 +0000 |
---|---|---|
committer | Hans Insulander <hin@cvs.openbsd.org> | 2002-02-06 09:10:03 +0000 |
commit | 9a623bbcac17640219344d0acdcd0ccecfb6ac01 (patch) | |
tree | 8b0593b3207a47dc4f33fb7ff965064a97d9d5c8 /kerberosV | |
parent | adb70fb71f5eaead1f3b0e93cc8dde4d80834bd4 (diff) |
Merge heimdal-0.4e
Diffstat (limited to 'kerberosV')
31 files changed, 582 insertions, 471 deletions
diff --git a/kerberosV/src/admin/list.c b/kerberosV/src/admin/list.c index 3fa5a1e3485..ed1305be1ac 100644 --- a/kerberosV/src/admin/list.c +++ b/kerberosV/src/admin/list.c @@ -33,7 +33,7 @@ #include "ktutil_locl.h" -RCSID("$KTH: list.c,v 1.8 2001/05/11 00:54:01 assar Exp $"); +RCSID("$KTH: list.c,v 1.9 2001/06/18 01:24:29 joda Exp $"); static int help_flag; static int list_keys; @@ -122,11 +122,11 @@ do_list(const char *keytab_string) ((unsigned char*)entry.keyblock.keyvalue.data)[i]); CHECK_MAX(key); } - kp->next = NULL; *kie = kp; kie = &kp->next; krb5_kt_free_entry(context, &entry); } + *kie = NULL; /* termiate list */ ret = krb5_kt_end_seq_get(context, keytab, &cursor); printf("%-*s %-*s %-*s", max_version, "Vno", diff --git a/kerberosV/src/appl/ftp/ftpd/ftpd.c b/kerberosV/src/appl/ftp/ftpd/ftpd.c index 4ec0751e5f5..7f64290da80 100644 --- a/kerberosV/src/appl/ftp/ftpd/ftpd.c +++ b/kerberosV/src/appl/ftp/ftpd/ftpd.c @@ -38,7 +38,7 @@ #endif #include "getarg.h" -RCSID("$KTH: ftpd.c,v 1.157 2001/04/19 14:41:29 joda Exp $"); +RCSID("$KTH: ftpd.c,v 1.159 2001/08/28 19:02:09 nectar Exp $"); static char version[] = "Version 6.00"; @@ -68,6 +68,7 @@ struct passwd *pw; int debug = 0; int ftpd_timeout = 900; /* timeout after 15 minutes of inactivity */ int maxtimeout = 7200;/* don't allow idle time to be set beyond 2 hours */ +int restricted_data_ports = 1; int logging; int guest; int dochroot; @@ -217,6 +218,7 @@ struct getargs args[] = { { NULL, 't', arg_integer, &ftpd_timeout, "initial timeout" }, { NULL, 'T', arg_integer, &maxtimeout, "max timeout" }, { NULL, 'u', arg_string, &umask_string, "umask for user logins" }, + { NULL, 'U', arg_negative_flag, &restricted_data_ports, "don't use high data ports" }, { NULL, 'd', arg_flag, &debug, "enable debugging" }, { NULL, 'v', arg_flag, &debug, "enable debugging" }, { "builtin-ls", 'B', arg_flag, &use_builtin_ls, "use built-in ls to list files" }, 
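Review bot: The comment on the new list terminator misspells "terminate"; it should read `*kie = NULL; /* terminate list */`. Moving the termination out of the loop is correct for the zero-entry case as well, because kie still points at the list head when the loop body never runs, but a one-word comment saying that kie always points at the tail's next pointer would make the invariant obvious. do_list's body starts and ends outside the hunk.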
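Review bot: The new global `int restricted_data_ports = 1;` has no comment, unlike its neighbours `ftpd_timeout` and `maxtimeout`, and the only description of what it controls is the -U help string. Suggest `int restricted_data_ports = 1; /* bind data sockets in the high port range; -U turns this off */`, assuming socket_set_portrange()'s second argument selects the high range when non-zero, which the hunk does not show. While the getargs table is being edited, note that 'd' and 'v' are both documented as "enable debugging" (pre-existing).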
@@ -1951,6 +1953,8 @@ pasv(void) socket_set_address_and_port (pasv_addr, socket_get_address (ctrl_addr), 0); + socket_set_portrange(pdata, restricted_data_ports, + pasv_addr->sa_family); seteuid(0); if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) { seteuid(pw->pw_uid); @@ -1993,6 +1997,8 @@ epsv(char *proto) socket_set_address_and_port (pasv_addr, socket_get_address (ctrl_addr), 0); + socket_set_portrange(pdata, restricted_data_ports, + pasv_addr->sa_family); seteuid(0); if (bind(pdata, pasv_addr, socket_sockaddr_size (pasv_addr)) < 0) { seteuid(pw->pw_uid); @@ -2165,7 +2171,13 @@ send_file_list(char *whichf) char buf[MaxPathLen]; if (strpbrk(whichf, "~{[*?") != NULL) { - int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE|GLOB_LIMIT; + int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE| +#ifdef GLOB_MAXPATH + GLOB_MAXPATH +#else + GLOB_LIMIT +#endif + ; memset(&gl, 0, sizeof(gl)); freeglob = 1; diff --git a/kerberosV/src/appl/login/login.c b/kerberosV/src/appl/login/login.c index 81dc1d82f3e..6ffe23e9d5b 100644 --- a/kerberosV/src/appl/login/login.c +++ b/kerberosV/src/appl/login/login.c @@ -39,7 +39,7 @@ #include <sys/capability.h> #endif -RCSID("$KTH: login.c,v 1.47 2001/02/20 01:44:45 assar Exp $"); +RCSID("$KTH: login.c,v 1.51 2001/07/06 17:36:48 assar Exp $"); static int login_timeout = 60; 
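Review bot: The identical two-line `socket_set_portrange(pdata, restricted_data_ports, pasv_addr->sa_family);` call is added verbatim to pasv() and epsv() just before their shared seteuid(0)/bind() sequence, so a third passive-mode path would have to remember it too; consider doing the port-range selection where pdata is created (outside the hunk) so the policy is applied once. The call's outcome is not checked here, so if the helper can fail the socket silently binds in the default range — confirm that it at least warns. Both enclosing functions start and end outside the hunk.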
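Review bot: The `#ifdef GLOB_MAXPATH` / `#else` / `#endif` selection splits the initialiser of flags across preprocessor lines and leaves a bare `;` on a line of its own, which is hard to read and easy to break on the next edit. A compatibility define near the includes, `#ifndef GLOB_MAXPATH` then `#define GLOB_MAXPATH GLOB_LIMIT` then `#endif`, would keep the original one-line form `int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE|GLOB_MAXPATH;`. Either way a comment is warranted that this flag is what bounds the expansion of client-supplied glob patterns (presumably the reason both spellings are kept), so it is not dropped on a platform that has neither. send_file_list's body continues outside the hunk.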
@@ -174,10 +174,29 @@ krb5_verify(struct passwd *pwd, const char *password) static krb5_error_code krb5_to4 (krb5_ccache id) { - if (krb5_config_get_bool(context, NULL, - "libdefaults", - "krb4_get_tickets", - NULL)) { + krb5_error_code ret; + krb5_principal princ; + + int get_v4_tgt; + + get_v4_tgt = krb5_config_get_bool(context, NULL, + "libdefaults", + "krb4_get_tickets", + NULL); + + ret = krb5_cc_get_principal(context, id, &princ); + if (ret == 0) { + get_v4_tgt = krb5_config_get_bool_default(context, NULL, + get_v4_tgt, + "realms", + *krb5_princ_realm(context, + princ), + "krb4_get_tickets", + NULL); + krb5_free_principal(context, princ); + } + + if (get_v4_tgt) { CREDENTIALS c; krb5_creds mcred, cred; char krb4tkfile[MAXPATHLEN]; @@ -199,7 +218,7 @@ krb5_to4 (krb5_ccache id) ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred); if(ret == 0) { - ret = krb524_convert_creds_kdc(context, id, &cred, &c); + ret = krb524_convert_creds_kdc_ccache(context, id, &cred, &c); if(ret == 0) { snprintf(krb4tkfile,sizeof(krb4tkfile),"%s%d",TKT_ROOT, getuid()); @@ -456,6 +475,8 @@ do_login(const struct passwd *pwd, char *tty, char *ttyn) exit(1); } #endif + if(do_osfc2_magic(pwd->pw_uid)) + exit(1); if(setgid(pwd->pw_gid)){ warn("setgid(%u)", (unsigned)pwd->pw_gid); if(rootlogin == 0) @@ -472,8 +493,6 @@ do_login(const struct passwd *pwd, char *tty, char *ttyn) check_shadow(pwd, sp); #endif - if(do_osfc2_magic(pwd->pw_uid)) - exit(1); #if defined(HAVE_GETUDBNAM) && defined(HAVE_SETLIM) { struct udb *udb; diff --git a/kerberosV/src/appl/login/login_access.c b/kerberosV/src/appl/login/login_access.c index e2979e637c1..4ee023a108c 100644 --- a/kerberosV/src/appl/login/login_access.c +++ b/kerberosV/src/appl/login/login_access.c @@ -1,3 +1,4 @@ +/************************************************************************ * Copyright 1995 by Wietse Venema. All rights reserved. Some individual * files may be covered by other copyrights. * 
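Review bot: The new precedence — `[libdefaults] krb4_get_tickets` first, then the same key under `[realms]` for the client's realm overriding it via krb5_config_get_bool_default — is the point of the change but is stated nowhere; add `/* a per-realm krb4_get_tickets setting overrides the libdefaults one */` above the krb5_cc_get_principal call. A failing krb5_cc_get_principal silently falls back to the global default, which is reasonable but deserves a word in that comment. `ret` is now declared at function scope while the later `ret = krb5_cc_retrieve_cred(...)` sits in the if-block whose start the hunk shows only partially, so check that the block does not still carry its own `krb5_error_code ret;` shadowing this one.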
@@ -24,7 +25,7 @@ #include "login_locl.h" -RCSID("$KTH: login_access.c,v 1.1 1999/05/17 22:40:05 assar Exp $"); +RCSID("$KTH: login_access.c,v 1.2 2001/06/04 14:09:45 assar Exp $"); /* Delimiters for fields and for lists of users, ttys or hosts. */ diff --git a/kerberosV/src/appl/login/utmpx_login.c b/kerberosV/src/appl/login/utmpx_login.c index 81c911f3888..9fbe0bb133b 100644 --- a/kerberosV/src/appl/login/utmpx_login.c +++ b/kerberosV/src/appl/login/utmpx_login.c @@ -1,3 +1,4 @@ +/************************************************************************ * Copyright 1995 by Wietse Venema. All rights reserved. Some individual * files may be covered by other copyrights. * @@ -17,7 +18,7 @@ #include "login_locl.h" -RCSID("$KTH: utmpx_login.c,v 1.25 2001/02/08 16:08:47 assar Exp $"); +RCSID("$KTH: utmpx_login.c,v 1.26 2001/06/04 14:10:19 assar Exp $"); /* utmpx_login - update utmp and wtmp after login */ diff --git a/kerberosV/src/appl/rcp/rcp.c b/kerberosV/src/appl/rcp/rcp.c index 230e8826b19..ee19652eb1a 100644 --- a/kerberosV/src/appl/rcp/rcp.c +++ b/kerberosV/src/appl/rcp/rcp.c @@ -92,6 +92,7 @@ main(int argc, char **argv) char *targ; int optind = 0; + setprogname(argv[0]); if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) usage (1); @@ -133,8 +134,9 @@ main(int argc, char **argv) remin = remout = -1; /* Command to be executed on remote system using "rsh". */ - sprintf(cmd, "rcp%s%s%s", iamrecursive ? " -r" : "", - pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); + snprintf(cmd, sizeof(cmd), + "rcp%s%s%s", iamrecursive ? " -r" : "", + pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); signal(SIGPIPE, lostconn); @@ -151,7 +153,7 @@ main(int argc, char **argv) void toremote(char *targ, int argc, char **argv) { - int i, len; + int i; char *bp, *host, *src, *suser, *thost, *tuser; *targ++ = 0; 
@@ -178,37 +180,34 @@ toremote(char *targ, int argc, char **argv) if (*src == 0) src = "."; host = strchr(argv[i], '@'); - len = strlen(_PATH_RSH) + strlen(argv[i]) + - strlen(src) + (tuser ? strlen(tuser) : 0) + - strlen(thost) + strlen(targ) + CMDNEEDS + 20; - if (!(bp = malloc(len))) - err(1, "malloc"); if (host) { - *host++ = 0; + *host++ = '\0'; suser = argv[i]; if (*suser == '\0') suser = pwd->pw_name; else if (!okname(suser)) continue; - snprintf(bp, len, + asprintf(&bp, "%s %s -l %s -n %s %s '%s%s%s:%s'", _PATH_RSH, host, suser, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); - } else - snprintf(bp, len, + } else { + asprintf(&bp, "exec %s %s -n %s %s '%s%s%s:%s'", _PATH_RSH, argv[i], cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); + } + if (bp == NULL) + err (1, "malloc"); susystem(bp, userid); free(bp); } else { /* local to remote */ if (remin == -1) { - len = strlen(targ) + CMDNEEDS + 20; - if (!(bp = malloc(len))) - err(1, "malloc"); - snprintf(bp, len, "%s -t %s", cmd, targ); + asprintf(&bp, "%s -t %s", cmd, targ); + if (bp == NULL) + err (1, "malloc"); host = thost; if (do_cmd(host, tuser, bp, &remin, &remout) < 0) @@ -227,18 +226,16 @@ toremote(char *targ, int argc, char **argv) void tolocal(int argc, char **argv) { - int i, len; + int i; char *bp, *host, *src, *suser; for (i = 0; i < argc - 1; i++) { if (!(src = colon(argv[i]))) { /* Local to local. */ - len = strlen(_PATH_CP) + strlen(argv[i]) + - strlen(argv[argc - 1]) + 20; - if (!(bp = malloc(len))) - err(1, "malloc"); - snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP, + asprintf(&bp, "exec %s%s%s %s %s", _PATH_CP, iamrecursive ? " -PR" : "", pflag ? " -p" : "", argv[i], argv[argc - 1]); + if (bp == NULL) + err (1, "malloc"); if (susystem(bp, userid)) ++errs; free(bp); 
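Review bot: Each new asprintf() call is followed by `if (bp == NULL) err (1, "malloc");` but asprintf's return value is discarded; on failure the contract is a negative return, and whether bp is set to NULL is library-specific (BSD does, glibc leaves it unspecified), so the NULL test can miss an allocation failure and pass garbage to susystem() or do_cmd(). Test the return instead, e.g. `if (asprintf(&bp, "%s -t %s", cmd, targ) < 0) err(1, "asprintf");` for the local-to-remote branch and likewise for the two branches above it. The same pattern appears in tolocal(): the local-to-local branch at the end of this line and the `"%s -f %s"` branch in the next hunk. toremote's body starts before the hunk.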
@@ -258,10 +255,9 @@ tolocal(int argc, char **argv) else if (!okname(suser)) continue; } - len = strlen(src) + CMDNEEDS + 20; - if ((bp = malloc(len)) == NULL) - err(1, "malloc"); - snprintf(bp, len, "%s -f %s", cmd, src); + asprintf(&bp, "%s -f %s", cmd, src); + if (bp == NULL) + err (1, "malloc"); if (do_cmd(host, suser, bp, &remin, &remout) < 0) { free(bp); ++errs; @@ -275,22 +271,6 @@ tolocal(int argc, char **argv) } } -static char * -sizestr(off_t size) -{ - static char ss[32]; - char *p; - ss[sizeof(ss) - 1] = '\0'; - for(p = ss + sizeof(ss) - 2; p >= ss; p--) { - *p = '0' + size % 10; - size /= 10; - if(size == 0) - break; - } - return ss; -} - - void source(int argc, char **argv) { @@ -339,8 +319,10 @@ syserr: run_err("%s: %s", name, strerror(errno)); goto next; } #define MODEMASK (S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO) - snprintf(buf, sizeof(buf), "C%04o %s %s\n", - stb.st_mode & MODEMASK, sizestr(stb.st_size), last); + snprintf(buf, sizeof(buf), "C%04o %lu %s\n", + stb.st_mode & MODEMASK, + (unsigned long)stb.st_size, + last); write(remout, buf, strlen(buf)); if (response() < 0) goto next; diff --git a/kerberosV/src/appl/rsh/rshd.c b/kerberosV/src/appl/rsh/rshd.c index ee532b7f292..b395307268f 100644 --- a/kerberosV/src/appl/rsh/rshd.c +++ b/kerberosV/src/appl/rsh/rshd.c @@ -32,7 +32,7 @@ */ #include "rsh_locl.h" -RCSID("$KTH: rshd.c,v 1.41 2001/02/20 01:44:48 assar Exp $"); +RCSID("$KTH: rshd.c,v 1.43 2001/07/31 09:05:45 joda Exp $"); int login_access( struct passwd *user, char *from); @@ -58,11 +58,13 @@ static char tkfile[MAXPATHLEN] = ""; static int do_inetd = 1; static char *port_str; -static int do_rhosts; +static int do_rhosts = 1; static int do_kerberos = 0; static int do_vacuous = 0; static int do_log = 1; static int do_newpag = 1; +static int do_addr_verify = 0; +static int do_keepalive = 1; static int do_version; static int do_help = 0; 
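Review bot: Replacing sizestr() with `%lu` and `(unsigned long)stb.st_size` truncates the size on platforms where off_t is 64-bit but long is 32-bit, so the length announced in the `C%04o` record is wrong for files of 4 GiB and above; the removed helper printed the full off_t. If a `%llu` printf cannot be relied on for every target, keep a minimal sizestr() or format with the widest integer type the build supports, and add a comment at the format line that the field is tied to off_t. The enclosing source() function starts and ends outside the hunk.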
@@ -102,6 +104,7 @@ fatal (int sock, const char *m, ...) *buf = 1; va_start(args, m); len = vsnprintf (buf + 1, sizeof(buf) - 1, m, args); + len = min(len, sizeof(buf) - 1); va_end(args); syslog (LOG_ERR, "%s", buf + 1); net_write (sock, buf, len + 1); @@ -841,14 +844,16 @@ doit (int do_kerberos, int check_rhosts) } struct getargs args[] = { + { NULL, 'a', arg_flag, &do_addr_verify }, + { "keepalive", 'n', arg_negative_flag, &do_keepalive }, { "inetd", 'i', arg_negative_flag, &do_inetd, "Not started from inetd" }, { "kerberos", 'k', arg_flag, &do_kerberos, "Implement kerberised services" }, { "encrypt", 'x', arg_flag, &do_encrypt, "Implement encrypted service" }, - { "rhosts", 'l', arg_flag, &do_rhosts, - "Check users .rhosts" }, + { "rhosts", 'l', arg_negative_flag, &do_rhosts, + "Don't check users .rhosts" }, { "port", 'p', arg_string, &port_str, "Use this port", "port" }, { "vacuous", 'v', arg_flag, &do_vacuous, diff --git a/kerberosV/src/appl/telnet/telnet/commands.c b/kerberosV/src/appl/telnet/telnet/commands.c index eac310da5fc..d89b2c3f219 100644 --- a/kerberosV/src/appl/telnet/telnet/commands.c +++ b/kerberosV/src/appl/telnet/telnet/commands.c @@ -33,7 +33,7 @@ #include "telnet_locl.h" -RCSID("$KTH: commands.c,v 1.65 2001/02/20 03:12:09 assar Exp $"); +RCSID("$KTH: commands.c,v 1.67 2001/08/29 00:45:20 assar Exp $"); #if defined(IPPROTO_IP) && defined(IP_TOS) int tos = -1; @@ -350,11 +350,12 @@ send_wontcmd(char *name) return(send_tncmd(send_wont, "wont", name)); } +extern char *telopts[]; /* XXX */ + static int send_tncmd(void (*func)(), char *cmd, char *name) { char **cpp; - extern char *telopts[]; int val = 0; if (isprefix(name, "help") || isprefix(name, "?")) { @@ -1564,7 +1565,7 @@ env_init(void) * "unix:0.0", we have to get rid of "unix" and insert our * hostname. */ - if ((ep = env_find("DISPLAY")) + if ((ep = env_find((unsigned char*)"DISPLAY")) && (*ep->value == ':' || strncmp((char *)ep->value, "unix:", 5) == 0)) { char hbuf[256+1]; 
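Review bot: `len = min(len, sizeof(buf) - 1);` clamps the would-be length that a C99 vsnprintf returns, but a negative return (an error, or truncation on older implementations that return -1) is promoted to unsigned by the comparison with a size_t, so the clamp yields sizeof(buf) - 1 and net_write() sends the whole buffer. Handle the negative case first, `if (len < 0) len = 0;`, or check the vsnprintf return explicitly before clamping. The declaration of len and the start of fatal() are outside the hunk.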
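Review bot: The two new getargs entries `{ NULL, 'a', arg_flag, &do_addr_verify }` and `{ "keepalive", 'n', arg_negative_flag, &do_keepalive }` carry no help string while every other entry in the table does, so --help will not describe them; add a short text for each, adjusted to what the code outside the hunk does with the flags (for example "verify that the client address matches its name" and "don't send keepalives"). Separately, `-l`/`--rhosts` changes from an opt-in flag to a negative flag with do_rhosts now defaulting to 1 (previous hunk), so an existing inetd line that passed -l to enable .rhosts checking now disables it; that inversion of an authentication-related default deserves a line in the man page and changelog.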
@@ -1604,7 +1605,8 @@ env_init(void) * USER with the value from LOGNAME. By default, we * don't export the USER variable. */ - if ((env_find("USER") == NULL) && (ep = env_find("LOGNAME"))) { + if ((env_find((unsigned char*)"USER") == NULL) && + (ep = env_find((unsigned char*)"LOGNAME"))) { env_define((unsigned char *)"USER", ep->value); env_unexport((unsigned char *)"USER"); } diff --git a/kerberosV/src/appl/telnet/telnet/externs.h b/kerberosV/src/appl/telnet/telnet/externs.h index 69102df3ad4..17e43cd1b84 100644 --- a/kerberosV/src/appl/telnet/telnet/externs.h +++ b/kerberosV/src/appl/telnet/telnet/externs.h @@ -33,7 +33,7 @@ * @(#)externs.h 8.3 (Berkeley) 5/30/95 */ -/* $KTH: externs.h,v 1.21 2001/03/06 20:10:13 assar Exp $ */ +/* $KTH: externs.h,v 1.23 2001/08/29 00:45:20 assar Exp $ */ #ifndef BSD # define BSD 43 @@ -95,6 +95,8 @@ extern char dont[], will[], wont[], + do_dont_resp[], + will_wont_resp[], options[], /* All the little options */ *hostname; /* Who are we connected to? */ #if defined(ENCRYPTION) @@ -433,3 +435,4 @@ extern int linemode; #ifdef KLUDGELINEMODE extern int kludgelinemode; #endif +extern int want_status_response; diff --git a/kerberosV/src/appl/telnet/telnetd/sys_term.c b/kerberosV/src/appl/telnet/telnetd/sys_term.c index cd927e0ed36..09519a869ae 100644 --- a/kerberosV/src/appl/telnet/telnetd/sys_term.c +++ b/kerberosV/src/appl/telnet/telnetd/sys_term.c @@ -33,7 +33,7 @@ #include "telnetd.h" -RCSID("$KTH: sys_term.c,v 1.100 2001/04/24 23:11:43 assar Exp $"); +RCSID("$KTH: sys_term.c,v 1.103 2001/08/29 00:45:22 assar Exp $"); #if defined(_CRAY) || (defined(__hpux) && !defined(HAVE_UTMPX_H)) # define PARENT_DOES_UTMP @@ -142,6 +142,9 @@ char wtmpf[] = "/etc/wtmp"; #ifdef HAVE_UTIL_H #include <util.h> #endif +#ifdef HAVE_LIBUTIL_H +#include <libutil.h> +#endif # ifndef TCSANOW # ifdef TCSETS 
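Review bot: The string literals passed to env_find() are now cast to `(unsigned char*)` at every call site (DISPLAY in the previous hunk, USER and LOGNAME here), which silences the warning by discarding const on a literal rather than fixing the interface. Assuming env_find only reads the name, changing its prototype to take `const unsigned char *` (or adding a thin wrapper taking `const char *`) would remove all three casts and keep the literals const. env_init's body continues outside the hunk.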
@@ -398,7 +401,7 @@ int getpty(int *ptynum) #if SunOS == 40 int dummy; #endif -#if 0 /* && defined(HAVE_OPENPTY) */ +#if __linux int master; int slave; if(openpty(&master, &slave, line, 0, 0) == 0){ @@ -822,8 +825,6 @@ void getptyslave(void) int t = -1; struct winsize ws; - extern int def_row, def_col; - extern int def_tspeed, def_rspeed; /* * Opening the slave side may cause initilization of the * kernel tty structure. We need remember the state of diff --git a/kerberosV/src/appl/xnlock/xnlock.c b/kerberosV/src/appl/xnlock/xnlock.c index 3b13b0bbc88..e7c5ac1a90a 100644 --- a/kerberosV/src/appl/xnlock/xnlock.c +++ b/kerberosV/src/appl/xnlock/xnlock.c @@ -8,7 +8,7 @@ */ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: xnlock.c,v 1.85 2001/03/15 17:13:13 joda Exp $"); +RCSID("$KTH: xnlock.c,v 1.87 2001/06/23 22:20:04 assar Exp $"); #endif #include <stdio.h> @@ -574,7 +574,6 @@ verify_krb5(const char *password) NULL)) { CREDENTIALS c; krb5_creds mcred, cred; - char krb4tkfile[MAXPATHLEN]; krb5_make_principal(context, &mcred.server, client->realm, @@ -583,7 +582,7 @@ verify_krb5(const char *password) NULL); ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred); if(ret == 0) { - ret = krb524_convert_creds_kdc(context, id, &cred, &c); + ret = krb524_convert_creds_kdc_ccache(context, id, &cred, &c); if(ret == 0) tf_setup(&c, c.pname, c.pinst); memset(&c, 0, sizeof(c)); diff --git a/kerberosV/src/doc/setup.texi b/kerberosV/src/doc/setup.texi index a993592f462..89f55e181cb 100644 --- a/kerberosV/src/doc/setup.texi +++ b/kerberosV/src/doc/setup.texi @@ -1,4 +1,4 @@ -@c $KTH: setup.texi,v 1.22 2001/02/11 17:10:34 assar Exp $ +@c $KTH: setup.texi,v 1.25 2001/08/24 05:24:33 assar Exp $ @node Setting up a realm, Things in search for a better place, Building and Installing, Top 
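Review bot: `#if __linux` re-enables the openpty() branch with a platform test rather than a feature test, although the old `#if 0 /* && defined(HAVE_OPENPTY) */` suggests a configure check exists; prefer `#if defined(HAVE_OPENPTY)`, combined with a platform guard only if openpty is known to misbehave elsewhere, and say which platform and why in a comment. `__linux` is also the GNU-specific spelling; `__linux__` is the one most compilers define. The error path for a failing openpty() continues outside the hunk.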
@@ -209,6 +209,10 @@ following syntax: principal [priv1,priv2,...] [glob-pattern] @end smallexample +The matching is from top to bottom for matching principal (and if given, +glob-pattern). When there is a match, the rights of that lines are +used. + The privileges you can assign to a principal are: @samp{add}, @samp{change-password} (or @samp{cpw} for short), @samp{delete}, @samp{get}, @samp{list}, and @samp{modify}, or the special privilege @@ -399,13 +403,23 @@ slave# /usr/heimdal/libexec/ipropd-slave master & Salting is used to make it harder to precalculate all possible keys. Using a salt increases the search space to make it almost -impossible to precalculate all keys. In salting you just append the salt -to the password, or somehow merge the password with the salt. +impossible to precalculate all keys. Salting is the process of mixing a +public string (the salt) with the password, then sending it through an +encryption-type specific string-to-key function that will output the +fixed size encryption key. + +In Kerberos 5 the salt is determined by the encryption-type, except +in some special cases. + +In @code{des} there is the Kerberos 4 salt +(none at all) or the afs-salt (using the cell (realm in +afs-lingo)). + +In @code{arcfour} (the encryption type that Microsoft Windows 2000 uses) +there is no salt. This is to be compatible with NTLM keys in Windows +NT 4. -In Kerberos 5 the salting is determined by the encryption-type, except -in case of @code{des}. In @code{des} there is the kerberos 4 salting -(none at all) or the afs-salting (using the cell (realm in -afs-lingo)). @code{[kadmin]default_keys} in @file{krb5.conf} controls +@code{[kadmin]default_keys} in @file{krb5.conf} controls what salting to use, The syntax of @code{[kadmin]default_keys} is diff --git a/kerberosV/src/kadmin/kadmin_locl.h b/kerberosV/src/kadmin/kadmin_locl.h index e50c9156da2..460989ea611 100644 --- a/kerberosV/src/kadmin/kadmin_locl.h +++ b/kerberosV/src/kadmin/kadmin_locl.h 
@@ -32,7 +32,7 @@ */ /* - * $KTH: kadmin_locl.h,v 1.36 2001/05/07 05:32:04 assar Exp $ + * $KTH: kadmin_locl.h,v 1.40 2001/08/22 20:30:24 assar Exp $ */ #ifndef __ADMIN_LOCL_H__ @@ -75,6 +75,9 @@ #ifdef HAVE_UTIL_H #include <util.h> #endif +#ifdef HAVE_LIBUTIL_H +#include <libutil.h> +#endif #ifdef HAVE_NETDB_H #include <netdb.h> #endif @@ -83,7 +86,7 @@ #endif #include <err.h> #include <roken.h> -#ifdef HAVE_OPENSSL_DES_H +#ifdef HAVE_OPENSSL #include <openssl/des.h> #else #include <des.h> @@ -145,6 +148,8 @@ int edit_deltat (const char *prompt, krb5_deltat *value, int *mask, int bit); int edit_entry(kadm5_principal_ent_t ent, int *mask, kadm5_principal_ent_t default_ent, int default_mask); +void set_defaults(kadm5_principal_ent_t ent, int *mask, + kadm5_principal_ent_t default_ent, int default_mask); int set_entry(krb5_context context, kadm5_principal_ent_t ent, int *mask, @@ -159,8 +164,6 @@ foreach_principal(const char *exp, const char *funcname, void *data); -void get_response(const char *prompt, const char *def, char *buf, size_t len); - int parse_des_key (const char *key_string, krb5_key_data *key_data, const char **err); diff --git a/kerberosV/src/kadmin/kadmind.8 b/kerberosV/src/kadmin/kadmind.8 index d2d2d427cd7..7c0f27602c8 100644 --- a/kerberosV/src/kadmin/kadmind.8 +++ b/kerberosV/src/kadmin/kadmind.8 @@ -131,7 +131,7 @@ compiled in defaults: .Ed .\".Sh DIAGNOSTICS .Sh SEE ALSO -.Xr kdc 8 , +.Xr passwd 1 , .Xr kadmin 8 , -.Xr kpasswdd 8 , -.Xr kpasswd 1 +.Xr kdc 8 , +.Xr kpasswdd 8 diff --git a/kerberosV/src/kdc/headers.h b/kerberosV/src/kdc/headers.h index 30ca24a2e46..894bbf43e07 100644 --- a/kerberosV/src/kdc/headers.h +++ b/kerberosV/src/kdc/headers.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -32,7 +32,7 @@ */ /* - * $KTH: headers.h,v 1.11 2001/02/15 04:20:53 assar Exp $ + * $KTH: headers.h,v 1.13 2001/08/22 20:30:25 assar Exp $ */ #ifndef __HEADERS_H__ @@ -77,13 +77,16 @@ #ifdef HAVE_UTIL_H #include <util.h> #endif +#ifdef HAVE_LIBUTIL_H +#include <libutil.h> +#endif #include <err.h> #include <roken.h> #include <getarg.h> #include <base64.h> #include <parse_units.h> /* openssl/des.h does not have des_random_key, so we don't use it */ -#ifdef XHAVE_OPENSSL_DES_H +#ifdef HAVE_OPENSSL #include <openssl/des.h> #else #include <des.h> diff --git a/kerberosV/src/kdc/kdc_locl.h b/kerberosV/src/kdc/kdc_locl.h index 1e09e1e1182..64f1ebd3896 100644 --- a/kerberosV/src/kdc/kdc_locl.h +++ b/kerberosV/src/kdc/kdc_locl.h @@ -32,7 +32,7 @@ */ /* - * $KTH: kdc_locl.h,v 1.48 2001/01/30 01:44:07 assar Exp $ + * $KTH: kdc_locl.h,v 1.52 2001/08/22 20:30:25 assar Exp $ */ #ifndef __KDC_LOCL_H__ @@ -67,8 +67,6 @@ extern krb5_boolean allow_anonymous; extern char *v4_realm; extern int enable_v4; extern int enable_524; -#endif -#ifdef KASERVER extern krb5_boolean enable_kaserver; #endif @@ -106,13 +104,17 @@ krb5_error_code do_version4 (unsigned char*, size_t, krb5_data*, const char*, krb5_error_code encode_v4_ticket (void*, size_t, const EncTicketPart*, const PrincipalName*, size_t*); krb5_error_code encrypt_v4_ticket (void*, size_t, des_cblock*, EncryptedData*); -krb5_error_code get_des_key(hdb_entry*, krb5_boolean, Key**); +krb5_error_code get_des_key(hdb_entry*, krb5_boolean, krb5_boolean, Key**); int maybe_version4 (unsigned char*, int); #endif -#ifdef KASERVER +#ifdef KRB4 krb5_error_code do_kaserver (unsigned char*, size_t, krb5_data*, const char*, struct sockaddr_in*); #endif +#ifdef HAVE_OPENSSL +#define des_new_random_key des_random_key +#endif + #endif /* __KDC_LOCL_H__ */ diff --git a/kerberosV/src/kpasswd/kpasswdd.8 b/kerberosV/src/kpasswd/kpasswdd.8 index ebc487f49fc..0ba3f18bd65 100644 --- a/kerberosV/src/kpasswd/kpasswdd.8 
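Review bot: The comment `/* openssl/des.h does not have des_random_key, so we don't use it */` now sits directly above `#ifdef HAVE_OPENSSL` / `#include <openssl/des.h>`, i.e. the header it says is not used; the old `XHAVE_OPENSSL_DES_H` spelling was the disabling trick, and the kdc_locl.h hunk in this commit instead adds `#define des_new_random_key des_random_key` under the same HAVE_OPENSSL. Update the comment to match what the code now does, e.g. `/* OpenSSL's des.h lacks des_new_random_key; kdc_locl.h maps it to des_random_key */`, or drop it.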
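Review bot: The widened prototype `krb5_error_code get_des_key(hdb_entry*, krb5_boolean, krb5_boolean, Key**);` now has two adjacent unnamed krb5_boolean parameters, so a reader of the header cannot tell which is which or what the added one selects; name the parameters in the declaration (copy them from the definition, which is outside this diff) and add a one-line comment on the new argument. The `#define des_new_random_key des_random_key` under HAVE_OPENSSL would also benefit from a comment that it bridges the libdes/OpenSSL naming difference.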
+++ b/kerberosV/src/kpasswd/kpasswdd.8 @@ -1,4 +1,4 @@ -.\" $KTH: kpasswdd.8,v 1.5 2001/06/08 21:35:32 joda Exp $ +.\" $KTH: kpasswdd.8,v 1.6 2001/07/12 08:42:27 assar Exp $ .\" .Dd April 19, 1999 .Dt KPASSWDD 8 @@ -77,12 +77,5 @@ logged to syslog. .Sh BUGS The default password quality checks are too basic. .Sh SEE ALSO -.Xr kdc 8 , -.Xr passwd 1 -.\".Sh ENVIRONMENT -.\".Sh FILES -.\".Sh EXAMPLES -.\".Sh SEE ALSO -.\".Sh STANDARDS -.\".Sh HISTORY -.\".Sh AUTHORS +.Xr passwd 1 , +.Xr kdc 8 diff --git a/kerberosV/src/kpasswd/kpasswdd.c b/kerberosV/src/kpasswd/kpasswdd.c index 81aff7792de..19bf3db158c 100644 --- a/kerberosV/src/kpasswd/kpasswdd.c +++ b/kerberosV/src/kpasswd/kpasswdd.c @@ -32,7 +32,7 @@ */ #include "kpasswd_locl.h" -RCSID("$KTH: kpasswdd.c,v 1.51 2001/05/14 06:18:56 assar Exp $"); +RCSID("$KTH: kpasswdd.c,v 1.52 2001/07/02 16:27:09 assar Exp $"); #include <kadm5/admin.h> @@ -442,7 +442,7 @@ doit (krb5_keytab keytab, int port) sockets = malloc (n * sizeof(*sockets)); if (sockets == NULL) krb5_errx (context, 1, "out of memory"); - maxfd = 0; + maxfd = -1; FD_ZERO(&real_fdset); for (i = 0; i < n; ++i) { int sa_size; @@ -455,14 +455,21 @@ doit (krb5_keytab keytab, int port) if (bind (sockets[i], sa, sa_size) < 0) { char str[128]; size_t len; + int save_errno = errno; + ret = krb5_print_address (&addrs.val[i], str, sizeof(str), &len); - krb5_err (context, 1, errno, "bind(%s)", str); + if (ret) + strlcpy(str, "unknown address", sizeof(str)); + krb5_warn (context, save_errno, "bind(%s)", str); + continue; } maxfd = max (maxfd, sockets[i]); if (maxfd >= FD_SETSIZE) krb5_errx (context, 1, "fd too large"); FD_SET(sockets[i], &real_fdset); } + if (maxfd == -1) + krb5_errx (context, 1, "No sockets!"); while(exit_flag == 0) { int ret; diff --git a/kerberosV/src/kuser/kinit.1 b/kerberosV/src/kuser/kinit.1 index 9bd905d8676..b75b9785800 100644 --- a/kerberosV/src/kuser/kinit.1 +++ b/kerberosV/src/kuser/kinit.1 
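Review bot: When bind() fails the loop now warns and continues, but the freshly created `sockets[i]` descriptor is neither closed nor marked invalid, so it leaks and stays in the sockets array that the rest of doit() (outside the hunk) presumably walks; add `close(sockets[i]); sockets[i] = -1;` before the `continue`, and make sure the later FD_ISSET loop skips negative entries. The `len` filled by krb5_print_address is unused (pre-existing). The `maxfd = -1` change together with the "No sockets!" check correctly covers the case where every bind fails.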
@@ -1,15 +1,15 @@ -.\" $KTH: kinit.1,v 1.11 2001/06/08 21:35:32 joda Exp $ +.\" $KTH: kinit.1,v 1.14 2001/08/31 10:02:21 joda Exp $ .\" .Dd May 29, 1998 .Dt KINIT 1 .Os HEIMDAL .Sh NAME -.Nm kinit , -.Nm kauth +.Nm kinit .Nd acquire initial tickets .Sh SYNOPSIS .Nm kinit .Op Fl 4 | Fl -524init +.Op Fl 9 | Fl -524convert .Op Fl -afslog .Oo Fl c Ar cachename \*(Ba Xo .Fl -cache= Ns Ar cachename @@ -41,8 +41,8 @@ .Oc .Op Fl k | Fl -use-keytab .Op Fl v | Fl -validate -.Oo Fl e Ar enctype \*(Ba Xo -.Fl -enctypes= Ns Ar enctype +.Oo Fl e Ar enctypes \*(Ba Xo +.Fl -enctypes= Ns Ar enctypes .Xc .Oc .Op Fl -fcache-version= Ns Ar integer @@ -162,20 +162,20 @@ issued to an anonymous principal, typically .Pp The following options are only available if .Nm -has been compiled with support for Kerberos 4. The -.Nm kauth -program is identical to -.Nm kinit , -but has these options enabled by -default. +has been compiled with support for Kerberos 4. .Bl -tag -width Ds .It Xo .Fl 4 Ns , .Fl -524init .Xc -Try to convert the obtained Kerberos 5 krbtgt to a version 4 compatible -ticket. It will store this ticket in the default Kerberos 4 ticket -file. +Try to convert the obtained Kerberos 5 krbtgt to a version 4 +compatible ticket. It will store this ticket in the default Kerberos 4 +ticket file. +.It Xo +.Fl 9 Ns , +.Fl -524convert +.Xc +only convert ticket to version 4 .It Fl -afslog Gets AFS tickets, converts them to version 4 format, and stores them in the kernel. Only useful if you have AFS. @@ -201,12 +201,12 @@ command. When it finishes the credentials will be removed. .Sh ENVIRONMENT .Bl -tag -width Ds .It Ev KRB5CCNAME -Specifies the default cache file. +Specifies the default credentials cache. .It Ev KRB5_CONFIG -The directory where the +The file name of .Pa krb5.conf -can be found, default is -.Pa /etc . +, the default being +.Pa /etc/krb5.conf . .It Ev KRBTKFILE Specifies the Kerberos 4 ticket file to store version 4 tickets in. .El 
@@ -216,8 +216,8 @@ Specifies the Kerberos 4 ticket file to store version 4 tickets in. .Sh SEE ALSO .Xr kdestroy 1 , .Xr klist 1 , -.Xr krb5.conf 5 , -.Xr krb5_appdefault 3 +.Xr krb5_appdefault 3 , +.Xr krb5.conf 5 .\".Sh STANDARDS .\".Sh HISTORY .\".Sh AUTHORS diff --git a/kerberosV/src/kuser/kinit.c b/kerberosV/src/kuser/kinit.c index 8980882779e..5aa3ed2db23 100644 --- a/kerberosV/src/kuser/kinit.c +++ b/kerberosV/src/kuser/kinit.c 
@@ -32,7 +32,104 @@ */ #include "kuser_locl.h" -RCSID("$KTH: kinit.c,v 1.75 2001/05/07 21:08:15 assar Exp $"); +RCSID("$KTH: kinit.c,v 1.85 2001/09/02 16:57:32 joda Exp $"); + +int forwardable_flag = -1; +int proxiable_flag = -1; +int renewable_flag = -1; +int renew_flag = 0; +int validate_flag = 0; +int version_flag = 0; +int help_flag = 0; +int addrs_flag = 1; +int anonymous_flag = 0; +char *lifetime = NULL; +char *renew_life = NULL; +char *server = NULL; +char *cred_cache = NULL; +char *start_str = NULL; +struct getarg_strings etype_str; +int use_keytab = 0; +char *keytab_str = NULL; +#ifdef KRB4 +int get_v4_tgt = -1; +int do_afslog = -1; +int convert_524; +#endif +int fcache_version; + +static struct getargs args[] = { +#ifdef KRB4 + { "524init", '4', arg_flag, &get_v4_tgt, + "obtain version 4 TGT" }, + + { "524convert", '9', arg_flag, &convert_524, + "only convert ticket to version 4" }, + + { "afslog", 0 , arg_flag, &do_afslog, + "obtain afs tokens" }, +#endif + { "cache", 'c', arg_string, &cred_cache, + "credentials cache", "cachename" }, + + { "forwardable", 'f', arg_flag, &forwardable_flag, + "get forwardable tickets"}, + + { "keytab", 't', arg_string, &keytab_str, + "keytab to use", "keytabname" }, + + { "lifetime", 'l', arg_string, &lifetime, + "lifetime of tickets", "time"}, + + { "proxiable", 'p', arg_flag, &proxiable_flag, + "get proxiable tickets" }, + + { "renew", 'R', arg_flag, &renew_flag, + "renew TGT" }, + + { "renewable", 0, arg_flag, &renewable_flag, + "get renewable tickets" }, + + { "renewable-life", 'r', arg_string, &renew_life, + "renewable lifetime of tickets", "time" }, + + { "server", 'S', arg_string, &server, + "server to get ticket for", "principal" }, + + { "start-time", 's', arg_string, &start_str, + "when ticket gets valid", "time" }, + + { "use-keytab", 'k', arg_flag, &use_keytab, + "get key from keytab" }, + + { "validate", 'v', arg_flag, &validate_flag, + "validate TGT" }, + + { "enctypes", 'e', arg_strings, &etype_str, + 
"encryption types to use", "enctypes" }, + + { "fcache-version", 0, arg_integer, &fcache_version, + "file cache version to create" }, + + { "addresses", 0, arg_negative_flag, &addrs_flag, + "request a ticket with no addresses" }, + + { "anonymous", 0, arg_flag, &anonymous_flag, + "request an anonymous ticket" }, + + { "version", 0, arg_flag, &version_flag }, + { "help", 0, arg_flag, &help_flag } +}; + +static void +usage (int ret) +{ + arg_printusage (args, + sizeof(args)/sizeof(*args), + NULL, + "[principal [command]]"); + exit (ret); +} #ifdef KRB4 /* for when the KDC tells us it's a v4 one, we try to talk that */ @@ -53,7 +150,7 @@ do_v4_fallback (krb5_context context, const krb5_principal principal, int lifetime, int use_srvtab, const char *srvtab_str, - char *passwd, size_t passwd_size) + const char *passwd) { int ret; krb_principal princ; @@ -93,13 +190,12 @@ do_v4_fallback (krb5_context context, KRB_TICKET_GRANTING_TICKET, princ.realm, lifetime, passwd, &key); } - memset (passwd, 0, passwd_size); memset (key, 0, sizeof(key)); if (ret) { warnx ("%s", krb_get_err_text(ret)); return 1; } - if (k_hasafs()) { + if (do_afslog && k_hasafs()) { if ((ret = krb_afslog(NULL, NULL)) != 0 && ret != KDC_PR_UNKNOWN) { if(ret > 0) warnx ("%s", krb_get_err_text(ret)); 
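Review bot: `int convert_524;` is the only KRB4 flag in the moved block without an explicit initialiser, while `get_v4_tgt = -1` and `do_afslog = -1` beside it show that the distinction between "unset" and "off" matters for these flags; file-scope zero-initialisation makes it 0, but write `int convert_524 = 0;` so the intended default is visible and consistent with the rest of the block (the pre-existing `int fcache_version;` has the same issue).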
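Review bot: Changing the signature to `const char *passwd` drops the `memset (passwd, 0, passwd_size);` that cleared the password after the krb_get_in_tkt calls, so do_v4_fallback no longer scrubs the secret it was given and that duty moves to the caller, which is outside the hunk; confirm the caller clears its buffer on every path (including the early return after warnx) and record the contract above the function: `/* passwd is read only; the caller is responsible for clearing it */`. The added `do_afslog &&` before k_hasafs() matches the new global in the first hunk.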
@@ -159,98 +255,59 @@ kinit_get_default_principal (krb5_context context, #endif /* !KRB4 */ -int forwardable_flag = -1; -int proxiable_flag = -1; -int renewable_flag = -1; -int renew_flag = 0; -int validate_flag = 0; -int version_flag = 0; -int help_flag = 0; -int addrs_flag = 1; -int anonymous_flag = 0; -char *lifetime = NULL; -char *renew_life = NULL; -char *server = NULL; -char *cred_cache = NULL; -char *start_str = NULL; -struct getarg_strings etype_str; -int use_keytab = 0; -char *keytab_str = NULL; -#ifdef KRB4 -extern int do_afslog; -extern int get_v4_tgt; -#endif -int fcache_version; - -static struct getargs args[] = { -#ifdef KRB4 - { "524init", '4', arg_flag, &get_v4_tgt, - "obtain version 4 TGT" }, - - { "afslog", 0 , arg_flag, &do_afslog, - "obtain afs tokens" }, -#endif - { "cache", 'c', arg_string, &cred_cache, - "credentials cache", "cachename" }, - - { "forwardable", 'f', arg_flag, &forwardable_flag, - "get forwardable tickets"}, - - { "keytab", 't', arg_string, &keytab_str, - "keytab to use", "keytabname" }, - - { "lifetime", 'l', arg_string, &lifetime, - "lifetime of tickets", "time"}, - - { "proxiable", 'p', arg_flag, &proxiable_flag, - "get proxiable tickets" }, - - { "renew", 'R', arg_flag, &renew_flag, - "renew TGT" }, - - { "renewable", 0, arg_flag, &renewable_flag, - "get renewable tickets" }, - - { "renewable-life", 'r', arg_string, &renew_life, - "renewable lifetime of tickets", "time" }, - - { "server", 'S', arg_string, &server, - "server to get ticket for", "principal" }, - - { "start-time", 's', arg_string, &start_str, - "when ticket gets valid", "time" }, - - { "use-keytab", 'k', arg_flag, &use_keytab, - "get key from keytab" }, - - { "validate", 'v', arg_flag, &validate_flag, - "validate TGT" }, - - { "enctypes", 'e', arg_strings, &etype_str, - "encryption types to use", "enctypes" }, +static krb5_error_code +get_server(krb5_context context, + krb5_principal client, + const char *server, + krb5_principal *princ) +{ + krb5_realm 
*client_realm; + if(server) + return krb5_parse_name(context, server, princ); - { "fcache-version", 0, arg_integer, &fcache_version, - "file cache version to create" }, + client_realm = krb5_princ_realm (context, client); + return krb5_make_principal(context, princ, *client_realm, + KRB5_TGS_NAME, *client_realm, NULL); +} - { "addresses", 0, arg_negative_flag, &addrs_flag, - "request a ticket with no addresses" }, +#ifdef KRB4 +static krb5_error_code +do_524init(krb5_context context, krb5_ccache ccache, + krb5_creds *creds, const char *server) +{ + krb5_error_code ret; + CREDENTIALS c; + krb5_creds in_creds, *real_creds; - { "anonymous", 0, arg_flag, &anonymous_flag, - "request an anonymous ticket" }, + if(creds != NULL) + real_creds = creds; + else { + krb5_principal client; + krb5_cc_get_principal(context, ccache, &client); + memset(&in_creds, 0, sizeof(in_creds)); + ret = get_server(context, client, server, &in_creds.server); + if(ret) + return ret; + ret = krb5_get_credentials(context, 0, ccache, &in_creds, &real_creds); + if(ret) + return ret; + } + ret = krb524_convert_creds_kdc_ccache(context, ccache, real_creds, &c); + if(ret) + krb5_warn(context, ret, "converting creds"); + else { + int tret = tf_setup(&c, c.pname, c.pinst); + if(tret) + krb5_warnx(context, "saving v4 creds: %s", krb_get_err_text(tret)); + } - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } -}; + if(creds == NULL) + krb5_free_creds(context, real_creds); + memset(&c, 0, sizeof(c)); -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args)/sizeof(*args), - NULL, - "[principal [command]]"); - exit (ret); + return ret; } +#endif static int renew_validate(krb5_context context, 
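Review bot: `krb5_cc_get_principal(context, ccache, &client)` in do_524init's else branch is not checked, so when it fails `client` is never assigned and is handed to get_server, which dereferences it through `krb5_princ_realm`; the same branch also never releases `client` or `in_creds.server`, which leak on every call that builds its own credentials. Checking the result and freeing both principals once they are no longer needed fixes this; the rewritten branch is below. `in_creds.client` is left NULL by the memset before `krb5_get_credentials` is called, whereas renew_validate passes a populated `in.client` to get_server — whether the library fills the client from the cache or requires it to be set is not visible here and is worth confirming.
```c
    if(creds != NULL)
        real_creds = creds;
    else {
        krb5_principal client;
        ret = krb5_cc_get_principal(context, ccache, &client);
        if(ret)
            return ret;
        memset(&in_creds, 0, sizeof(in_creds));
        ret = get_server(context, client, server, &in_creds.server);
        krb5_free_principal(context, client);
        if(ret)
            return ret;
        ret = krb5_get_credentials(context, 0, ccache, &in_creds, &real_creds);
        krb5_free_principal(context, in_creds.server);
        if(ret)
            return ret;
    }
    /* … unchanged: krb524_convert_creds_kdc_ccache, tf_setup, cleanup … */
```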
@@ -271,21 +328,10 @@ renew_validate(krb5_context context, krb5_warn(context, ret, "krb5_cc_get_principal"); return ret; } - if(server) { - ret = krb5_parse_name(context, server, &in.server); - if(ret) { - krb5_warn(context, ret, "krb5_parse_name"); - goto out; - } - } else { - krb5_realm *client_realm = krb5_princ_realm (context, in.client); - - ret = krb5_make_principal(context, &in.server, *client_realm, - KRB5_TGS_NAME, *client_realm, NULL); - if(ret) { - krb5_warn(context, ret, "krb5_make_principal"); - goto out; - } + ret = get_server(context, in.client, server, &in.server); + if(ret) { + krb5_warn(context, ret, "get_server"); + goto out; } flags.i = 0; flags.b.renewable = flags.b.renew = renew; @@ -317,6 +363,18 @@ renew_validate(krb5_context context, goto out; } ret = krb5_cc_store_cred(context, cache, out); + +#ifdef KRB4 + if(ret == 0 && server == NULL) { + /* only do this if it's a general renew-my-tgt request */ + if(get_v4_tgt) + do_524init(context, cache, out, NULL); + + if(do_afslog && k_hasafs()) + krb5_afslog(context, cache, NULL, NULL); + } +#endif + krb5_free_creds (context, out); if(ret) { krb5_warn(context, ret, "krb5_cc_store_cred"); 
@@ -327,108 +385,20 @@ out: return ret; } -int -main (int argc, char **argv) +static krb5_error_code +get_new_tickets(krb5_context context, + krb5_principal principal, + krb5_ccache ccache, + krb5_deltat ticket_life) { krb5_error_code ret; - krb5_context context; - krb5_ccache ccache; - krb5_principal principal; - krb5_creds cred; - int optind = 0; krb5_get_init_creds_opt opt; - krb5_deltat start_time = 0; - krb5_deltat ticket_life = 0; krb5_addresses no_addrs; + krb5_creds cred; char passwd[256]; + krb5_deltat start_time = 0; - setprogname (argv[0]); memset(&cred, 0, sizeof(cred)); - - ret = krb5_init_context (&context); - if (ret) - errx(1, "krb5_init_context failed: %d", ret); - - /* XXX no way to figure out if set without explict test */ - if(krb5_config_get_string(context, NULL, "libdefaults", - "forwardable", NULL)) - forwardable_flag = krb5_config_get_bool (context, NULL, - "libdefaults", - "forwardable", - NULL); - -#ifdef KRB4 - get_v4_tgt = krb5_config_get_bool_default (context, NULL, - get_v4_tgt, - "libdefaults", - "krb4_get_tickets", - NULL); -#endif - - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) - usage(1); - - if (help_flag) - usage (0); - - if(version_flag) { - print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; - - if (argv[0]) { - ret = krb5_parse_name (context, argv[0], &principal); - if (ret) - krb5_err (context, 1, ret, "krb5_parse_name"); - } else { - ret = kinit_get_default_principal (context, &principal); - if (ret) - krb5_err (context, 1, ret, "krb5_get_default_principal"); - } - - if(fcache_version) - krb5_set_fcache_version(context, fcache_version); - - if(cred_cache) - ret = krb5_cc_resolve(context, cred_cache, &ccache); - else { - if(argc > 1) { - char s[1024]; - ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache); - if(ret) - krb5_err(context, 1, ret, "creating cred cache"); - snprintf(s, sizeof(s), "%s:%s", - krb5_cc_get_type(context, ccache), - krb5_cc_get_name(context, ccache)); - 
setenv("KRB5CCNAME", s, 1); -#ifdef KRB4 - snprintf(s, sizeof(s), "%s_XXXXXX", TKT_ROOT); - close(mkstemp(s)); - setenv("KRBTKFILE", s, 1); - if (k_hasafs ()) - k_setpag(); -#endif - } else - ret = krb5_cc_default (context, &ccache); - } - if (ret) - krb5_err (context, 1, ret, "resolving credentials cache"); - - if (lifetime) { - int tmp = parse_time (lifetime, "s"); - if (tmp < 0) - errx (1, "unparsable time: %s", lifetime); - - ticket_life = tmp; - } - if(renew_flag || validate_flag) { - ret = renew_validate(context, renew_flag, validate_flag, - ccache, server, ticket_life); - exit(ret != 0); - } krb5_get_init_creds_opt_init (&opt); @@ -486,17 +456,6 @@ main (int argc, char **argv) etype_str.num_strings); } -#ifdef KRB4 - get_v4_tgt = krb5_config_get_bool_default (context, - NULL, - get_v4_tgt, - "realms", - krb5_princ_realm(context, - principal), - "krb4_get_tickets", - NULL); -#endif - if(use_keytab || keytab_str) { krb5_keytab kt; if(keytab_str) @@ -542,13 +501,12 @@ main (int argc, char **argv) int exit_val; exit_val = do_v4_fallback (context, principal, ticket_life, - use_keytab, keytab_str, - passwd, sizeof(passwd)); + use_keytab, keytab_str, passwd); + get_v4_tgt = 0; + do_afslog = 0; memset(passwd, 0, sizeof(passwd)); - if (exit_val == 0 || ret == KRB5KRB_AP_ERR_V4_REPLY) { - krb5_free_context (context); + if (exit_val == 0 || ret == KRB5KRB_AP_ERR_V4_REPLY) return exit_val; - } } #endif memset(passwd, 0, sizeof(passwd)); @@ -557,11 +515,9 @@ main (int argc, char **argv) case 0: break; case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */ - memset(passwd, 0, sizeof(passwd)); exit(1); case KRB5KRB_AP_ERR_BAD_INTEGRITY: case KRB5KRB_AP_ERR_MODIFIED: - memset(passwd, 0, sizeof(passwd)); krb5_errx(context, 1, "Password incorrect"); break; default: 
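Review bot: The fallback's failure status is now lost: when `exit_val != 0` and `ret == KRB5KRB_AP_ERR_V4_REPLY`, `return exit_val` leaves get_new_tickets with a non-zero value that the caller in the `@@ -576,19 +532,115 @@` hunk discards, so main carries on (and, with a command argument, forks it) and finally exits 0 where the old code exited with `exit_val`. At the call site in main, `ret = get_new_tickets(context, principal, ccache, ticket_life);` followed by `if(ret) exit(1);` restores the previous behaviour; note that `exit_val` is a process exit status rather than a krb5_error_code, which the function's return type now conflates. The two global writes `get_v4_tgt = 0; do_afslog = 0;` exist only to suppress the later `do_524init`/`krb5_afslog` calls in main and should say so, e.g. `/* the v4 fallback already produced v4 tickets and AFS tokens; skip the v5->v4 post-processing in main */`. get_new_tickets starts and ends outside this hunk.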
@@ -576,19 +532,115 @@ main (int argc, char **argv) if (ret) krb5_err (context, 1, ret, "krb5_cc_store_cred"); + krb5_free_creds_contents (context, &cred); + + return 0; +} + +int +main (int argc, char **argv) +{ + krb5_error_code ret; + krb5_context context; + krb5_ccache ccache; + krb5_principal principal; + int optind = 0; + krb5_deltat ticket_life = 0; + + setprogname (argv[0]); + + ret = krb5_init_context (&context); + if (ret) + errx(1, "krb5_init_context failed: %d", ret); + + if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) + usage(1); + + if (help_flag) + usage (0); + + if(version_flag) { + print_version(NULL); + exit(0); + } + + argc -= optind; + argv += optind; + + if (argv[0]) { + ret = krb5_parse_name (context, argv[0], &principal); + if (ret) + krb5_err (context, 1, ret, "krb5_parse_name"); + } else { + ret = kinit_get_default_principal (context, &principal); + if (ret) + krb5_err (context, 1, ret, "krb5_get_default_principal"); + } + + if(fcache_version) + krb5_set_fcache_version(context, fcache_version); + + if(cred_cache) + ret = krb5_cc_resolve(context, cred_cache, &ccache); + else { + if(argc > 1) { + char s[1024]; + ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache); + if(ret) + krb5_err(context, 1, ret, "creating cred cache"); + snprintf(s, sizeof(s), "%s:%s", + krb5_cc_get_type(context, ccache), + krb5_cc_get_name(context, ccache)); + setenv("KRB5CCNAME", s, 1); #ifdef KRB4 - if(get_v4_tgt) { - CREDENTIALS c; - ret = krb524_convert_creds_kdc(context, ccache, &cred, &c); - if(ret) - krb5_warn(context, ret, "converting creds"); - else - tf_setup(&c, c.pname, c.pinst); - memset(&c, 0, sizeof(c)); + { + int fd; + snprintf(s, sizeof(s), "%s_XXXXXX", TKT_ROOT); + if((fd = mkstemp(s)) >= 0) { + close(fd); + setenv("KRBTKFILE", s, 1); + if (k_hasafs ()) + k_setpag(); + } + } +#endif + } else + ret = krb5_cc_default (context, &ccache); } + if (ret) + krb5_err (context, 1, ret, "resolving credentials cache"); + + if (lifetime) { 
+ int tmp = parse_time (lifetime, "s"); + if (tmp < 0) + errx (1, "unparsable time: %s", lifetime); + + ticket_life = tmp; + } +#ifdef KRB4 + if(get_v4_tgt == -1) + krb5_appdefault_boolean(context, "kinit", + krb5_principal_get_realm(context, principal), + "krb4_get_tickets", TRUE, &get_v4_tgt); +#endif + + + if(renew_flag || validate_flag) { + ret = renew_validate(context, renew_flag, validate_flag, + ccache, server, ticket_life); + exit(ret != 0); + } + +#ifdef KRB4 + if(!convert_524) +#endif + get_new_tickets(context, principal, ccache, ticket_life); + +#ifdef KRB4 + if(get_v4_tgt) + do_524init(context, ccache, NULL, server); if(do_afslog && k_hasafs()) krb5_afslog(context, ccache, NULL, NULL); - krb5_free_creds_contents (context, &cred); #endif if(argc > 1) { pid_t pid = fork(); @@ -616,6 +668,7 @@ main (int argc, char **argv) #endif } else krb5_cc_close (context, ccache); + krb5_free_principal(context, principal); krb5_free_context (context); return 0; } diff --git a/kerberosV/src/lib/des/rnd_keys.c b/kerberosV/src/lib/des/rnd_keys.c index 1a83c3dbf07..e2247a5dbac 100644 --- a/kerberosV/src/lib/des/rnd_keys.c +++ b/kerberosV/src/lib/des/rnd_keys.c @@ -34,7 +34,7 @@ #ifdef HAVE_CONFIG_H #include "config.h" -RCSID("$KTH: rnd_keys.c,v 1.56 1999/12/02 16:58:39 joda Exp $"); +RCSID("$KTH: rnd_keys.c,v 1.58 2001/08/21 15:32:07 assar Exp $"); #endif #include <des.h> @@ -74,10 +74,6 @@ RCSID("$KTH: rnd_keys.c,v 1.56 1999/12/02 16:58:39 joda Exp $"); #include <fcntl.h> #endif -#ifdef HAVE_WINSOCK_H -#include <winsock.h> -#endif - /* * Generate "random" data by checksumming a file. * @@ -194,6 +190,7 @@ sigALRM(int sig) #endif #endif +#ifndef HAVE_SETITIMER static void des_not_rand_data(unsigned char *data, int size) { @@ -204,6 +201,7 @@ des_not_rand_data(unsigned char *data, int size) for(i = 0; i < size; ++i) data[i] ^= random() % 0x100; } +#endif #if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__) 
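Review bot: A failing `mkstemp` is now handled by the `fd >= 0` test but silently: KRBTKFILE stays unset, `k_setpag` is not called and nothing is reported, so the user ends up without a v4 ticket file and no hint why; an `else krb5_warn(context, errno, "mkstemp %s", s);` branch would surface it. The `#ifdef KRB4 if(!convert_524) #endif` wrapping an unbraced `get_new_tickets(...)` call is fragile — a second statement or a brace added on either side of the `#ifdef` changes what is conditional in one build but not the other; bracing the call in both configurations, or deciding `!convert_524` into a local under `#ifdef KRB4` and testing that local unconditionally, keeps the preprocessor out of the statement structure. main's body continues past this hunk.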
diff --git a/kerberosV/src/lib/kadm5/ipropd_slave.c b/kerberosV/src/lib/kadm5/ipropd_slave.c index fe678c0475f..852d976f7f3 100644 --- a/kerberosV/src/lib/kadm5/ipropd_slave.c +++ b/kerberosV/src/lib/kadm5/ipropd_slave.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "iprop.h" -RCSID("$KTH: ipropd_slave.c,v 1.21 2000/08/06 02:06:19 assar Exp $"); +RCSID("$KTH: ipropd_slave.c,v 1.24 2001/08/31 03:12:17 assar Exp $"); static krb5_log_facility *log_facility; @@ -72,10 +72,6 @@ get_creds(krb5_context context, const char *keytab_str, char *server; char keytab_buf[256]; - ret = krb5_kt_register(context, &hdb_kt_ops); - if(ret) - krb5_err(context, 1, ret, "krb5_kt_register"); - if (keytab_str == NULL) { ret = krb5_kt_default_name (context, keytab_buf, sizeof(keytab_buf)); if (ret) @@ -348,7 +344,8 @@ main(int argc, char **argv) master = argv[0]; - krb5_openlog (context, "ipropd-master", &log_facility); + pidfile (NULL); + krb5_openlog (context, "ipropd-slave", &log_facility); krb5_set_warn_dest(context, log_facility); ret = krb5_kt_register(context, &hdb_kt_ops); @@ -430,4 +427,4 @@ main(int argc, char **argv) } return 0; - } +} diff --git a/kerberosV/src/lib/krb5/crypto.c b/kerberosV/src/lib/krb5/crypto.c index 99aef49c00c..65b5757eddf 100644 --- a/kerberosV/src/lib/krb5/crypto.c +++ b/kerberosV/src/lib/krb5/crypto.c @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$KTH: crypto.c,v 1.50 2001/05/14 06:14:45 assar Exp $"); +RCSID("$KTH: crypto.c,v 1.53 2001/08/22 20:30:29 assar Exp $"); #undef CRYPTO_DEBUG #ifdef CRYPTO_DEBUG 
@@ -1724,7 +1724,7 @@ ARCFOUR_subencrypt(krb5_context context, krb5_keyblock kb; unsigned char t[4]; RC4_KEY rc4_key; - char *cdata = (char *)data; + unsigned char *cdata = data; unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16]; t[0] = (usage >> 0) & 0xFF; @@ -1780,7 +1780,7 @@ ARCFOUR_subdecrypt(krb5_context context, krb5_keyblock kb; unsigned char t[4]; RC4_KEY rc4_key; - char *cdata = (char *)data; + unsigned char *cdata = data; unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16]; unsigned char cksum_data[16]; @@ -2654,7 +2654,7 @@ krb5_decrypt_EncryptedData(krb5_context context, * * ************************************************************/ -#ifdef HAVE_OPENSSL_DES_H +#ifdef HAVE_OPENSSL #include <openssl/rand.h> /* From openssl/crypto/rand/rand_lcl.h */ @@ -2682,7 +2682,7 @@ seed_something(void) we do not have to deal with it. */ if (RAND_status() != 1) { krb5_context context; - char *p; + const char *p; /* Try using egd */ if (!krb5_init_context(&context)) { @@ -2998,6 +2998,7 @@ krb5_string_to_key_derived(krb5_context context, struct encryption_type *et = _find_enctype(etype); krb5_error_code ret; struct key_data kd; + size_t keylen = et->keytype->bits / 8; u_char *tmp; if(et == NULL) { 
@@ -3006,13 +3007,28 @@ krb5_string_to_key_derived(krb5_context context, return KRB5_PROG_ETYPE_NOSUPP; } ALLOC(kd.key, 1); + if(kd.key == NULL) { + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } + ret = krb5_data_alloc(&kd.key->keyvalue, et->keytype->size); + if(ret) { + free(kd.key); + return ret; + } kd.key->keytype = etype; - tmp = malloc (et->keytype->bits / 8); - _krb5_n_fold(str, len, tmp, et->keytype->bits / 8); - krb5_data_alloc(&kd.key->keyvalue, et->keytype->size); + tmp = malloc (keylen); + if(tmp == NULL) { + krb5_free_keyblock(context, kd.key); + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } + _krb5_n_fold(str, len, tmp, keylen); kd.schedule = NULL; - DES3_postproc (context, tmp, et->keytype->bits / 8, &kd); /* XXX */ - ret = derive_key(context, + DES3_postproc (context, tmp, keylen, &kd); /* XXX */ + memset(tmp, 0, keylen); + free(tmp); + ret = derive_key(context, et, &kd, "kerberos", /* XXX well known constant */ diff --git a/kerberosV/src/lib/krb5/keytab_any.c b/kerberosV/src/lib/krb5/keytab_any.c index 07b142e41cd..d3901e3e29e 100644 --- a/kerberosV/src/lib/krb5/keytab_any.c +++ b/kerberosV/src/lib/krb5/keytab_any.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$KTH: keytab_any.c,v 1.2 2001/05/14 06:14:48 assar Exp $"); +RCSID("$KTH: keytab_any.c,v 1.4 2001/06/24 02:22:33 assar Exp $"); struct any_data { krb5_keytab kt; @@ -68,7 +68,7 @@ any_resolve(krb5_context context, const char *name, krb5_keytab id) } if (a0 == NULL) { a0 = a; - a->name = strdup(name); + a->name = strdup(buf); if (a->name == NULL) { krb5_set_error_string(context, "malloc: out of memory"); ret = ENOMEM; @@ -141,8 +141,7 @@ any_start_seq_get(krb5_context context, if (ret) { free (c->data); c->data = NULL; - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; + return ret; } return 0; } 
@@ -165,14 +164,15 @@ any_next_entry (krb5_context context, ret2 = krb5_kt_end_seq_get (context, ed->a->kt, &ed->cursor); if (ret2) return ret2; - ed->a = ed->a->next; + while ((ed->a = ed->a->next) != NULL) { + ret2 = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor); + if (ret2 == 0) + break; + } if (ed->a == NULL) { krb5_clear_error_string (context); return KRB5_CC_END; } - ret2 = krb5_kt_start_seq_get(context, ed->a->kt, &ed->cursor); - if (ret2) - return ret2; } else return ret; } while (ret == KRB5_CC_END); diff --git a/kerberosV/src/lib/krb5/krb5.conf.5 b/kerberosV/src/lib/krb5/krb5.conf.5 index 38ed4373ffe..7a3d84f36b9 100644 --- a/kerberosV/src/lib/krb5/krb5.conf.5 +++ b/kerberosV/src/lib/krb5/krb5.conf.5 @@ -1,4 +1,4 @@ -.\" $KTH: krb5.conf.5,v 1.17 2001/05/31 13:58:34 assar Exp $ +.\" $KTH: krb5.conf.5,v 1.22 2001/08/30 18:54:01 joda Exp $ .\" .Dd April 11, 1999 .Dt KRB5.CONF 5 @@ -70,7 +70,7 @@ When obtaining initial credentials, make the credentials proxiable. .It Li no-addresses = Va boolean When obtaining initial credentials, request them for an empty set of addresses, making the tickets valid from any address. -.It Li ticket_life = Va time +.It Li ticket_lifetime = Va time Default ticket lifetime. .It Li renew_lifetime = Va time Default renewable ticket lifetime. @@ -153,8 +153,6 @@ How to print date strings in logs, this string is passed to Write log-entries using UTC instead of your local time zone. .It Li srv_lookup = Va boolean Use DNS SRV records to lookup realm configuration information. -.It Li srv_try_txt = Va boolean -If a SRV lookup fails, try looking up the same info in a DNS TXT record. .It Li scan_interfaces = Va boolean Scan all network interfaces for addresses, as opposed to simply using the address associated with the system's host name. 
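Review bot: The new loop in any_next_entry skips every following member whose `krb5_kt_start_seq_get` fails and then reports KRB5_CC_END with the error string cleared, so an unreadable or misconfigured keytab in an ANY list is indistinguishable from "no more entries" — a lookup that should have failed loudly surfaces as a missing key. If tolerating unopenable members is the intended semantics, that policy should be written down, e.g. `/* members that cannot be opened are silently skipped */`; otherwise keep the last non-zero `ret2` and return it when `ed->a` reaches NULL after at least one open failure. The enclosing do/while continues outside the hunk.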
@@ -162,7 +160,8 @@ the address associated with the system's host name. Use file credential cache format version specified. .It Li krb4_get_tickets = Va boolean Also get Kerberos 4 tickets in -.Nm kinit +.Nm kinit , +.Nm login , and other programs. This option is also valid in the [realms] section. .El @@ -192,6 +191,9 @@ to the database are perfomed. Points to the server where all the password changes are perfomed. If there is no such entry, the kpasswd port on the admin_server host will be tried. +.It Li krb524_server = Va Host[:port] +Points to the server that does 524 conversions. If it is not +mentioned, the krb524 port on the kdcs will be tried. .It Li v4_instance_convert .It Li v4_name_convert .It Li default_domain @@ -340,10 +342,10 @@ that reads .Nm and tries to emit useful diagnostics from parsing errors. Note that this program does not have any way of knowing what options are -actually used and thus cannot warn about unknown or misspelt ones. +actually used and thus cannot warn about unknown or misspelled ones. .Sh SEE ALSO -.Xr verify_krb5_conf 8 , -.Xr krb5_openlog 3 , +.Xr kinit 1 , .Xr krb5_425_conv_principal 3 , +.Xr krb5_openlog 3 , .Xr strftime 3 , -.Xr kinit 1 +.Xr verify_krb5_conf 8 diff --git a/kerberosV/src/lib/krb5/krb5.h b/kerberosV/src/lib/krb5/krb5.h index 84d7130ab19..3150d9a382b 100644 --- a/kerberosV/src/lib/krb5/krb5.h +++ b/kerberosV/src/lib/krb5/krb5.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: krb5.h,v 1.190 2001/05/16 22:23:56 assar Exp $ */ +/* $KTH: krb5.h,v 1.196 2001/07/02 22:24:46 joda Exp $ */ #ifndef __KRB5_H__ #define __KRB5_H__ @@ -42,6 +42,7 @@ #include <kerberosV/asn1_err.h> #include <kerberosV/krb5_err.h> #include <kerberosV/heim_err.h> +#include <kerberosV/k524_err.h> #include <kerberosV/krb5_asn1.h> 
@@ -291,8 +292,8 @@ typedef union { #define KRB5_VERIFY_AP_REQ_IGNORE_INVALID (1 << 0) -#define KRB5_GC_CACHED 1 -#define KRB5_GC_USER_USER 2 +#define KRB5_GC_CACHED (1U << 0) +#define KRB5_GC_USER_USER (1U << 1) /* constants for compare_creds (and cc_retrieve_cred) */ #define KRB5_TC_DONT_MATCH_REALM (1U << 31) @@ -377,7 +378,6 @@ typedef struct krb5_context_data { krb5_boolean scan_interfaces; /* `ifconfig -a' */ krb5_boolean srv_lookup; /* do SRV lookups */ krb5_boolean srv_try_txt; /* try TXT records also */ - krb5_boolean srv_try_rfc2052; /* try RFC2052 compatible records */ int32_t fcache_vno; /* create cache files w/ this version */ int num_kt_types; /* # of registered keytab types */ @@ -385,6 +385,7 @@ typedef struct krb5_context_data { const char *date_fmt; char *error_string; char error_buf[256]; + krb5_addresses *ignore_addresses; } krb5_context_data; typedef struct krb5_ticket { @@ -619,7 +620,8 @@ typedef struct krb5_verify_opt { const char *service; } krb5_verify_opt; -#define KRB5_VERIFY_LREALMS 1 +#define KRB5_VERIFY_LREALMS 1 +#define KRB5_VERIFY_NO_ADDRESSES 2 extern const krb5_cc_ops krb5_fcc_ops; extern const krb5_cc_ops krb5_mcc_ops; @@ -639,6 +641,27 @@ extern const krb5_kt_ops krb5_any_ops; #define KPASSWD_PORT 464 +/* types for the new krbhst interface */ +struct krb5_krbhst_data; +typedef struct krb5_krbhst_data *krb5_krbhst_handle; + +#define KRB5_KRBHST_KDC 1 +#define KRB5_KRBHST_ADMIN 2 +#define KRB5_KRBHST_CHANGEPW 3 +#define KRB5_KRBHST_KRB524 4 + +typedef struct krb5_krbhst_info { + enum { KRB5_KRBHST_UDP, + KRB5_KRBHST_TCP, + KRB5_KRBHST_HTTP } proto; + unsigned short port; + unsigned short def_port; + struct addrinfo *ai; + struct krb5_krbhst_info *next; + char hostname[1]; /* has to come last */ +} krb5_krbhst_info; + + struct credentials; /* this is to keep the compiler happy */ struct getargs; diff --git a/kerberosV/src/lib/krb5/krb5_context.3 b/kerberosV/src/lib/krb5/krb5_context.3 index 14979a05df5..698ec01fa4a 100644 
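Review bot: Removing `srv_try_rfc2052` from `krb5_context_data` and appending `ignore_addresses` in the `@@ -385,6 +385,7 @@` hunk changes the size of the struct and the offset of every member from `fcache_vno` onward, and the struct is defined in the public header; anything built against the previous krb5.h that reaches into the context through it is binary-incompatible with the new library. If libkrb5 ships as a shared library, its version should be bumped alongside this change (not visible in the diff), or the layout kept opaque to callers.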
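Review bot: `char hostname[1]; /* has to come last */` in `krb5_krbhst_info` is the pre-C99 trailing-array idiom, which depends on the allocator oversizing the object and on writes past the declared bound; a flexible array member `char hostname[];` gives the same layout without the out-of-bounds access, and if C89 compilers still have to consume this header the comment should at least state how the allocation size is computed (the allocating code is not in this diff). The `KRB5_KRBHST_KDC` … `KRB5_KRBHST_KRB524` constants are a closed set of alternatives rather than bit flags, unlike the `KRB5_GC_*` macros converted to `(1U << n)` in this same file, so an `enum` would express that more clearly and make them visible to a debugger.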
--- a/kerberosV/src/lib/krb5/krb5_context.3 +++ b/kerberosV/src/lib/krb5/krb5_context.3 @@ -1,5 +1,5 @@ .\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" $KTH: krb5_context.3,v 1.1 2001/01/28 21:39:29 assar Exp $ +.\" $KTH: krb5_context.3,v 1.2 2001/06/24 00:52:53 assar Exp $ .Dd Jan 21, 2001 .Dt KRB5_CONTEXT 3 .Os HEIMDAL diff --git a/kerberosV/src/lib/krb5/krb5_init_context.3 b/kerberosV/src/lib/krb5/krb5_init_context.3 index 56ef56f87f8..e522a63f49a 100644 --- a/kerberosV/src/lib/krb5/krb5_init_context.3 +++ b/kerberosV/src/lib/krb5/krb5_init_context.3 @@ -1,5 +1,5 @@ .\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" $KTH: krb5_init_context.3,v 1.2 2001/05/23 16:24:02 assar Exp $ +.\" $KTH: krb5_init_context.3,v 1.4 2001/07/12 08:42:28 assar Exp $ .Dd Jan 21, 2001 .Dt KRB5_CONTEXT 3 .Os HEIMDAL @@ -34,6 +34,6 @@ Failure means either that something bad happened during initialization or that Kerberos should not be used .Bq ENXIO . .Sh SEE ALSO -.Xr krb5_context 3 , .Xr errno 2 , +.Xr krb5_context 3 , .Xr kerberos 8 diff --git a/kerberosV/src/lib/krb5/krb5_keytab.3 b/kerberosV/src/lib/krb5/krb5_keytab.3 index fde3036c2bf..65ba9194d6f 100644 --- a/kerberosV/src/lib/krb5/krb5_keytab.3 +++ b/kerberosV/src/lib/krb5/krb5_keytab.3 @@ -1,5 +1,5 @@ .\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" $KTH: krb5_keytab.3,v 1.1 2001/02/05 18:17:46 assar Exp $ +.\" $KTH: krb5_keytab.3,v 1.2 2001/07/12 08:42:28 assar Exp $ .Dd Feb 5, 2001 .Dt KRB5_KEYTAB 3 .Os HEIMDAL @@ -354,5 +354,5 @@ main (int argc, char **argv) } .Ed .Sh SEE ALSO -.Xr kerberos 8 , -.Xr krb5.conf 5 +.Xr krb5.conf 5 , +.Xr kerberos 8 diff --git a/kerberosV/src/lib/krb5/krb5_locl.h b/kerberosV/src/lib/krb5/krb5_locl.h index 1220082158c..300a65051a7 100644 --- a/kerberosV/src/lib/krb5/krb5_locl.h +++ b/kerberosV/src/lib/krb5/krb5_locl.h 
@@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: krb5_locl.h,v 1.66 2001/05/10 15:31:34 assar Exp $ */ +/* $KTH: krb5_locl.h,v 1.67 2001/08/22 20:30:30 assar Exp $ */ #ifndef __KRB5_LOCL_H__ #define __KRB5_LOCL_H__ @@ -109,29 +109,17 @@ struct sockaddr_dl; #include <parse_time.h> #include <base64.h> -#ifdef HAVE_OPENSSL_DES_H +#ifdef HAVE_OPENSSL #include <openssl/des.h> -#else -#include <des.h> -#endif -#ifdef HAVE_OPENSSL_MD4_H #include <openssl/md4.h> -#else -#include <md4.h> -#endif -#ifdef HAVE_OPENSSL_MD5_H #include <openssl/md5.h> -#else -#include <md5.h> -#endif -#ifdef HAVE_OPENSSL_SHA_H #include <openssl/sha.h> -#else -#include <sha.h> -#endif -#ifdef HAVE_OPENSSL_RC4_H #include <openssl/rc4.h> #else +#include <des.h> +#include <md4.h> +#include <md5.h> +#include <sha.h> #include <rc4.h> #endif diff --git a/kerberosV/src/lib/krb5/krb5_verify_user.3 b/kerberosV/src/lib/krb5/krb5_verify_user.3 index 5da911391f0..3996da40044 100644 --- a/kerberosV/src/lib/krb5/krb5_verify_user.3 +++ b/kerberosV/src/lib/krb5/krb5_verify_user.3 @@ -1,6 +1,6 @@ .\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" $Id: krb5_verify_user.3,v 1.1 2001/06/24 19:05:37 hin Exp $ -.Dd Jun 24, 2001 +.\" $KTH: krb5_verify_user.3,v 1.1 2001/06/27 17:08:04 assar Exp $ +.Dd June 27, 2001 .Dt KRB5_VERIFY_USER 3 .Os HEIMDAL .Sh NAME 
@@ -16,51 +16,37 @@ .Sh DESCRIPTION The .Nm krb5_verify_user -function verify user -.Fa principal -with -.Fa password . -If the flag -.Fa secure -is given the password is verified against -.Fa service . -As a side effect, fresh tickets are obtained and stored in -.Fa ccache . -If -.Fa password -is -NULL, a password is asked. If +function verifies the password supplied by a user. +The principal whose +password will be verified is specified in +.Fa principal . +New tickets will be obtained as a side-effect and stored in .Fa ccache -is NULL, the default credential-cache is used. -.Pp -The -.Fa service -is the service part service principal. -.Nm krb5_verify_user -take the -.Fa service -and appends the host's name and uses that a the service principal. If +(if NULL, the default ccache is used). +If the password is not supplied in +.Fa password +(and is given as +.Dv NULL ) +the user will be prompted for it. +If +.Fa secure +the ticket will be verified against the locally stored service key .Fa service -is NULL, the service +(by default .Ql host -is used. +if given as +.Dv NULL +). .Pp +The .Nm krb5_verify_user_lrealm -works the same way as -.Nm krb5_verify_user, -with the exception that the realm of +function does the same, except that it ignores the realm in .Fa principal -is ignored and all local realms in -.Xr krb5.conf 5 -are tried. -.Sh BUGS -Not setting -.Fa secure -should be considered a bug since the answer from the KDC isn't -verified. The answer could be faked answer from malicious computer. +and tries all the local realms (see +.Xr krb5.conf 5). .Sh EXAMPLE -Here is a example program that verify a password. If uses the -.Q1 host/`hostname` +Here is a example program that verifies a password. it uses the +.Ql host/`hostname` service principal in .Pa krb5.keytab . .Bd -literal 
@@ -72,27 +58,28 @@ main(int argc, char **argv) char *user; krb5_error_code error; krb5_principal princ; - krb5_context c; + krb5_context context; if (argc != 2) errx(1, "usage: verify_passwd <principal-name>"); user = argv[1]; - if (krb5_init_context(&c) < 0) + if (krb5_init_context(&context) < 0) errx(1, "krb5_init_context"); - if ((error = krb5_parse_name(c, user, &princ)) != 0) - krb5_err(c, 1, error, "krb5_parse_name"); + if ((error = krb5_parse_name(context, user, &princ)) != 0) + krb5_err(context, 1, error, "krb5_parse_name"); - error = krb5_verify_user(c, princ, NULL, NULL, TRUE, NULL); + error = krb5_verify_user(context, princ, NULL, NULL, TRUE, NULL); if (error) - krb5_err(c, 1, error, "krb5_verify_user"); + krb5_err(context, 1, error, "krb5_verify_user"); return 0; } .Ed .Sh SEE ALSO +.Xr krb5_kt_default 3 , .Xr krb5_init_context 3 , .Xr krb5_err 3 , .Xr krb5.conf 5 |